RSD gets information about the subnets from the information reported back by the agents - so any subnet that has an agent on it, and which is not covered by a sensor, will be listed as unmanaged. So if you don't have any sensors deployed at all, by definition all your subnets will be shown as uncovered.
I understand that. However, my ePO server also has on the dashboard a pane that is titled Rogue System Interfaces By Subnet. If there are no sensors out in my environment, how does ePO know these are rogue systems, which they are in fact?
Okay, that makes slightly less sense.
Can you post a screenshot of the detected systems page?
We have the same thing in our environment. The ePO server sees everything that talks to it, and classifies it. So, in theory, all of the agents talking to it should be managed. However, we've found that when machines have multiple MAC addresses associated with them, either because of VPN, wireless cards, or some other networking hiccup, the server becomes confused. It labels one of the MAC addresses as rogue, even though it's getting the information from a managed agent residing on the device.
Okay, definitely confusing.
As far as I know it's not possible for ePO to flag machines as rogue unless they are detected by a sensor. Is it possible that you had a sensor active at some point and removed it? Or was this an upgrade from a previous version that may have had RSD data in the database?
Just trying to rule out the obvious first...
Can't speak for the OP, but there are no rogue sensors in our environment, and never have been. Additionally, there are new alerts coming in regularly, both managed devices and rogues. We had to add an accepted OUI to our database in order to get the VPN machines to stop being detected as rogue. That stopped the majority of our false rogue detections, but we still get things like this when real rogue devices are detected:
Last Detected Time: 5/6/2010 17:49
Detection Source: McAfee Agent
It doesn't say which agent made the detection. I assume it's the ePO server because a normal agent shouldn't be able to act as a sensor.
Something to note is that RSD 2.0 and RSD 4.5 server (not sensor) can view the McAfee Agent as a 'detection source'.
When the Agent checks in to the ePO server, it will occasionally update the Detected System information with data from the Agent directly; this is reflected where the Detection Source shows as 'McAfee Agent'.
The Agent as a detection source check only happens once every 7 days, and is not currently configurable. It's my understanding you would not need an RSD sensor anywhere to see this.
Perhaps this will help in understanding what's being seen here.
That's very interesting. I was unaware that a standard agent without a sensor could behave that way.
Currently, we have an ePO 4.5 p1 server with RSD extension 18.104.22.1681. The vast majority of our agents are running MA 4.5. The situation you're describing does seem to apply to our environment.
I'm not sure I understand what sort of data the agent would be sending back? It's obviously reporting on more than just its own configuration because we do see true rogue detections come through for a handful of other Windows systems. But at the same time, it's obviously not an equivalent to a true RSD sensor because it would see a LOT more rogue devices (Linux, Cisco, etc.) if it did. I would even expect it to flag more Windows devices than it currently does.
Are there any sort of guidelines or KBs that explain how the MA evaluates and reports its findings?